4 tips on getting more time in the boardroom for cybersecurity
Here’s a fact to get the conversation going at a dinner party if ever I heard one:
Earlier this year, the Society for Information Management’s 2017 IT Trends Study revealed that cybersecurity is the 3rd largest area of investment for organisations today…just behind business analytics and custom software development.
In 2013, cybersecurity was all the way back in 14th place. That’s quite a jump in the space of four years.
Despite being in 14th place in terms of investment, security was, at the time, the 2nd most important/worrisome area to a Senior IT Leader (just behind business analytics). Perhaps one of the reasons why IT teams were so worried about security, was because they couldn’t get enough investment in it to keep up with the escalation of cyber threats.
Cut to 2017, and IT teams are just as worried about security, but the investment gap has shortened considerably.
One reason for this is that CISOs now have the potential to see exactly which threats and attempted breaches are being targeted at his/her organisation, and which threats are being identified and blocked by their security infrastructure.
If they are set up in this way, they can see and understand the threat landscape, know that their security posture is effective, and can demonstrate the value of their investments to the board. Proving thus that effective security is allowing the company to get on with its business, unaffected by what would otherwise be potentially disruptive attacks.
There’s one fly in the ointment though. According to the Cisco Security Benchmarks Study, UK organisations don’t strongly agree (as much as other countries) that line of business managers are engaged with security.
This is a real problem, because besides the fact that it’s harder to ask for investment, this often means that security often gets “bolted on” rather than embedded in a company’s ecosystem. So, you’re not able to grow as quickly as you would like (often businesses find themselves going back and fixing things, due to cybersecurity concerns.)
For anyone who might be struggling to get more airtime at the board table, or needs some tips on how to best ask for investment, here’s some advice.
- Personalise your business’ cybersecurity risk factors. Just like employers don’t like receiving generic CVs, boards don’t like it when they have to look at stuff that is of little relevance. What does risk mean to you? Are you a retail business that is particularly at risk at peak periods? Are your employees more likely to partake in Shadow IT?
- It’s also important to benchmark this against other companies in your industry. Boards like context – it’s not just your business that needs to mitigate this risk – everyone needs to.
- Even better – add a monetary value on the potential cost of a data breach for this particular risk. Don’t forget to add GDPR fines on top of this, should you be proven to not have had ‘appropriate security’.
- Demonstrate a scenario of a cyber attack. For example – a ransomware attack on an endpoint. Explain how your current security posture would cope with such an attack and, how you could limit the damage with more effective layers of security. Crucially – how quick can you respond? At what point would you know about the threat? What can be done to improve this? Again, put monetary values on the potential downtime/ cost to remove the malware.
For more insights into understanding the threat landscape, and how Cisco can help you find out if your security posture is effective and can demonstrate the value of your investments, take a look at our security page.
The most important thing to bear in mind when asking for more support on cybersecurity, is to keep things simple with a clear call to action. If you don’t know exactly what improvements need to be made, not only are you given the cyber criminals a massive head start, but your board is unlikely to be convinced of the value of the investment.
Done right, cybersecurity can actually give you a strong competitive advantage. It’s no longer about aiming to contribute ‘nothing’, but instead, security is increasingly being used to differentiate companies from their competition.
“We can do this, because we’re secure.” “We can scale that in the cloud, because we’re secure.”
Subpar security leaves companies in the worst possible competitive position: not innovating fast enough to compete, yet not safe enough to handle a cyber attack.
Perhaps that is a factor behind the rapid rise in investment importance for cybersecurity in 2017.
Still, it’s all very well and good to have more of an investment opportunity. CISOs still need to be able to offer a clear reporting structure on what investment they need, in order to best protect their business.
Studies show that almost a quarter of boards are dissatisfied with the level of reporting about cybersecurity. The problem is often a lack of benchmarking, a lack of clarity about what risk factors that particular business is facing, and overall, the reporting is incredibly complicated and difficult to interpret.
For more tips on how to navigate cybersecurity pitfalls for business growth in the UK, take a look at this interactive infographic.Tags:
Nice job, Mik!